Page 1 of 9 I. Policy The HIPAA Privacy Rule and HITECH regulations provide patients and their legally authorized representatives with a right to access, to inspect and to obtain a copy of the patient s protected health information in medical and billing records maintained and retained by a covered entity. This document describes how UW-Madison complies with the Privacy Rule s right to access and defines the limited circumstances in which access to medical and/or billing records may be denied. In the remainder of this policy, the term patient refers to the patient or his/her legally authorized representative. II. Definitions A. Covered Entity: A health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA. B. Designated Record Set: A group of records so designated which are maintained by or for the UW-Madison Health Care Component and which (1) includes the medical and billing records about individuals maintained by a health care provider; and (2) are used in whole or in part for the health care provider to make decisions about individuals. The term record means any item, collection or grouping of information that includes protected health information and is maintained, collected, used or disseminated by or for a health care provider. C. HITECH: The Heath Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to promote the adoption and meaningful use of health information technology.
Page 2 of 9 D. ( PHI ): Health information, or healthcare payment information, including demographic information, which identifies the individual or can be used to identify the individual. PHI does not include student records held by educational institutions or employment records held by employers. E. Psychotherapy Notes: Notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual s medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. F. UW-Madison Health Care Component ( UW HCC ): Those units of the that have been designated by the University as part of its health care component under HIPAA. See Privacy Policy # 1.1 Designation of UW-Madison Health Care Component for a listing of these units. III. Procedures A. Each applicable UW HCC unit must designate a staff member or office to receive and process requests for access to or copies of medical or billing records. B. An individual must make a request to a staff member for access to inspect or obtain a copy of the individual s medical or billing records. The UW HCC unit may require that this request be in writing provided that the patient is informed of this requirement in advance. A record of the request must be maintained by the UW HCC unit.
Page 3 of 9 1. The individual has the right to request access to inspect or copy his/her medical or billing records which are part of the designated record set (see Privacy Policy # 7.2 Requests by Patients to Amend Protected Health Information for more on the designated record set). C. The UW HCC unit may limit access to medical and billing records to the business hours during which the unit is open. D. The UW HCC unit will take action within 30 days after receipt of the request. The UW HCC unit may take one 30-day extension but, within the original time limit, must notify the individual in writing of the reasons for the delay and the date by which it will process the access request. E. The request of an individual for access to the individual s medical or billing records will be granted unless one of the grounds for denial, listed below in III.G. or III.H., is present. F. Granting of Request for Access 1. The patient and the UW HCC unit will arrange a mutually convenient time and place for the individual to inspect or obtain a copy, or both, of the requested PHI. The individual may request that this copy be mailed. 2. If the individual directs the UW HCC unit to transmit a copy of the PHI directly to another person designated by the individual, the UW HCC unit must provide a copy to such designated person. The individual s request must be in writing, signed by the individual, and must clearly identify the designed person and where to send the copy of the PHI. 3. The UW HCC unit must provide the patient with access to the PHI in the requested form or format, if it is readily producible in such form or format. If the PHI is not readily producible in the requested form or format, the UW HCC unit must provide
Page 4 of 9 the patient with a readable hard copy form, or other form and format as agreed to by the patient and the UW HCC unit. 4. If the PHI requested is maintained in one or more designated record sets electronically and the individual requests an electronic copy, the UW HCC unit must provide the individual with access to the PHI in the electronic form and format requested by the individual, if readily producible in such form and format. If the PHI is not readily producible in the requested electronic form and format, the UW HCC unit must provide the patient with a readable electronic form and format as agreed to by the patient and the UW HCC unit. 5. The UW HCC unit may provide the patient with a summary of the PHI requested, in lieu of providing access to the PHI, or may provide an explanation of the PHI to which access has been provided, if the patient agrees in advance to such a summary or explanation and to the fees imposed, if any, by the UW HCC unit for the summary or explanation. 6. If the patient requests a copy of the PHI or agrees to a summary or explanation of such information, the UW HCC unit may impose a reasonable, cost-based fee, provided that the fee includes only the cost of (a) copying; (b) postage (when the patient has requested the copy, summary, or explanation be mailed); and (c) preparing an explanation or summary of the PHI, if agreed to by the patient in lieu of providing access to the PHI. 7. If, after inspection of the PHI, the patient feels it is inaccurate or incomplete, the patient has the right to request an amendment to the PHI. The UW HCC unit shall process requests for amendment as detailed in Privacy Policy #7.2 Requests by Patients to Amend.
Page 5 of 9 G. Grounds for Denial Where No Opportunity for Review Is Required 1. Patients are not allowed access to or copies of the following types of information and denials of access to or copies of this information are not subject to review: a. Psychotherapy notes (defined above); b. Information compiled in anticipation of or use in a civil, criminal, or administrative action or proceeding; c. PHI that is exempt from CLIA, pursuant to 42 CFR 493.3(a)(2) (i.e., PHI created in research laboratories that test human specimens but do not report patient specific results for diagnosis, treatment or health assessment of individual patient. 2. The UW HCC unit may deny a patient access to or copies of the following types of PHI without providing the patient an opportunity for review: a. PHI created or obtained in the course of treatment-related research for which access has been temporarily suspended for as long as the research is in progress, provided that the patient has agreed to the denial of access when consenting to participate in the research and has been informed that the right of access will be reinstated upon completion of the research; b. Records that are subject to the Privacy Act of 1974 and the denial of access meets the requirement of that law (note: the Privacy Act of 1974 applies to records held by agencies of the federal government only and therefore this provision is generally inapplicable to UW-Madison); and
Page 6 of 9 c. PHI that was obtained from someone other than a healthcare provider under a promise of confidentiality and access would likely reveal the source of the information. H. Grounds for Denial Where Opportunity for Review of Denial Must Be Provided. The UW HCC unit may deny a patient access to his/her own PHI, provided that the patient is given an opportunity to have the denial reviewed, in the following circumstances: 1. A licensed healthcare professional has determined that the access is reasonably likely to endanger the life or physical safety of the patient or another person; 2. The PHI makes reference to another person who is not a healthcare provider, and a licensed healthcare professional has determined that the access requested is reasonably likely to cause substantial harm to such other person; 3. The request for access is made by the patient s legally authorized representative and a licensed healthcare professional has determined that the provision of access to such representative is reasonably likely to cause substantial harm to the patient or another person. I. Procedures for Denial of Access 1. When access is denied, the UW HCC unit will provide a written denial to the patient. The denial must be provided within 30 days after receipt of the request for access. The UW HCC unit may take one 30- day extension but, within the original time limit, must notify the patient in writing of the reasons for the delay and the date by which it will process the access request. 2. The denial must be in plain language and must contain:
Page 7 of 9 a. The basis for the denial; b. A statement of the patient s review rights, if any, including a description of how the patient may exercise such review rights; and c. A description of how the patient may complain to UW- Madison (see section J. below) or to the Secretary of the U.S. Department of Health and Human Services. The description must include the name, or title, and telephone number of the UW-Madison HIPAA Privacy Officer. 3. If the UW HCC unit denies access because the UW HCC unit does not have the PHI that is the subject of the request and the UW HCC unit knows where that PHI is maintained, the UW HCC unit will inform the patient where to direct the request for access. 4. The UW HCC unit will, to the extent possible, give the patient access to or copies of any other PHI requested, after removing the PHI to which the UW HCC unit has grounds to deny access. J. Review of Denial of Access 1. If access is denied on a ground that requires an opportunity for review of the denial, the patient has the right to have the denial reviewed by a licensed health care professional who is designated by the UW HCC unit to act as a reviewing official and who did not participate in the original decision to deny. If feasible, the review should be done by a professional who is a supervisor of the person making the denial or another person in that clinic.
Page 8 of 9 2. The patient must initiate the review of a denial by making a request for review to the UW HCC unit. If the patient has requested a review, the UW HCC unit will provide or deny access in accordance with the determination of the reviewing professional, who will make the determination within a reasonable period of time. 3. The UW HCC unit will promptly provide written notice to the patient of the determination of the reviewing professional. No further review of the denial is required. IV. Documentation Requirements The UW HCC unit must document the following and retain the documentation for six years from the date of its creation or the date when it last was in effect, whichever is later: V. Forms A. The medical and billing records that are subject to access by patients; B. The titles of the persons or offices responsible for receiving and processing requests for access by individuals; and C. Any written denials sent to patients. Sample Letter Notifying of Need for 30 Day Extension Sample Letter Denying Individual s Request to Obtain a Copy of Protected Health Information VI. References 45 CFR 164.524 (HIPAA Privacy Rule) 51.61(1)(n), Wisconsin Statutes
Page 9 of 9 VII. Related Policies Policy Number 7.2 Requests by Patients to Amend VIII. For Further Information For further information concerning this policy, please contact the UW-Madison HIPAA Privacy Officer or the appropriate unit HIPAA Privacy Coordinator or sub- Coordinator. Contact information is available within the Contact Us tab at hipaa.wisc.edu. Reviewed By Chancellor Chancellor s Task Force on HIPAA Privacy UW-Madison HIPAA Privacy Officer UW-Madison Office of Legal Affairs Approved By Interim HIPAA Privacy and Security Operations Committee